turbot/aws_compliance

Control: 7 Password policies for IAM users should have strong configurations

Description

To access the AWS Management Console, IAM users need passwords. As a best practice, Security Hub strongly recommends using federation instead of creating IAM users. Federation lets users sign in to the AWS Management Console with their existing corporate credentials. Use AWS Single Sign-On (AWS SSO) to create or federate the user, and then assume an IAM role into an account.

To learn more about identity providers and federation, see Identity providers and federation in the IAM User Guide. To learn more about AWS SSO, see the AWS Single Sign-On User Guide.

If you need to use IAM users, Security Hub recommends that you enforce the creation of strong user passwords. You can set a password policy on your AWS account to specify complexity requirements and mandatory rotation periods for passwords. When you create or change a password policy, most of the password policy settings are enforced the next time users change their passwords. Some of the settings are enforced immediately. To learn more, see Setting an account password policy for IAM users in the IAM User Guide.

Remediation

To remediate this issue, update your password policy to use the recommended configuration.

  1. Sign in to the AWS Management Console and open the IAM console.
  2. Choose Account settings.
  3. Select Requires at least one uppercase letter.
  4. Select Requires at least one lowercase letter.
  5. Select Requires at least one non-alphanumeric character.
  6. Select Requires at least one number.
  7. For Minimum password length, enter 8.
  8. Choose Apply password policy.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_iam_7

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_iam_7 --share

SQL

This control uses a named query:

iam_account_password_policy_strong_min_length_8
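The named query above runs as SQL inside Powerpipe; the following Python is an added illustration of the same five checks (minimum length 8 plus the four character-class requirements from the Remediation steps) and is not the aws_compliance mod's own query. It assumes the policy is shaped like the PasswordPolicy object returned by the IAM GetAccountPasswordPolicy API (keys such as MinimumPasswordLength and RequireSymbols), treats None as an account with no custom policy (the API reports NoSuchEntity in that case), and the sample policies are constructed rather than taken from any account. The remediation_command helper is likewise an assumption about how one would script the console steps with the AWS CLI.

```python
"""Evaluate an IAM account password policy against Security Hub IAM.7.

Added illustration, not the aws_compliance mod's own SQL. The policy dict
mirrors the PasswordPolicy object returned by IAM GetAccountPasswordPolicy;
the sample policies at the bottom are constructed, not from a real account.
"""

from typing import List, Optional, Tuple

# The four boolean settings the control requires, with the wording used in
# the IAM console's Account settings page.
REQUIRED_FLAGS = [
    ("RequireUppercaseCharacters", "at least one uppercase letter"),
    ("RequireLowercaseCharacters", "at least one lowercase letter"),
    ("RequireSymbols", "at least one non-alphanumeric character"),
    ("RequireNumbers", "at least one number"),
]
MIN_LENGTH = 8  # the control's minimum password length


def evaluate_password_policy(policy: Optional[dict]) -> Tuple[str, List[str]]:
    """Return ('ok' | 'alarm', [reasons]) for one account's password policy.

    None stands for an account with no custom policy (GetAccountPasswordPolicy
    raises NoSuchEntity); it fails the control outright.
    """
    if policy is None:
        return "alarm", ["no custom account password policy is set"]
    reasons = []
    length = policy.get("MinimumPasswordLength", 0)
    if length < MIN_LENGTH:
        reasons.append(f"minimum length is {length}, need {MIN_LENGTH}")
    for key, description in REQUIRED_FLAGS:
        if not policy.get(key, False):
            reasons.append(f"does not require {description}")
    return ("ok" if not reasons else "alarm"), reasons


def remediation_command(policy: Optional[dict]) -> List[str]:
    """Build the `aws iam update-account-password-policy` argv that satisfies this control.

    UpdateAccountPasswordPolicy replaces the whole policy, so settings the
    control does not check (rotation, reuse prevention, ...) are carried over
    from the current policy instead of being silently reset to defaults.
    """
    current = policy or {}
    argv = [
        "aws", "iam", "update-account-password-policy",
        "--minimum-password-length",
        str(max(MIN_LENGTH, current.get("MinimumPasswordLength", 0))),
        "--require-uppercase-characters",
        "--require-lowercase-characters",
        "--require-symbols",
        "--require-numbers",
    ]
    if current.get("AllowUsersToChangePassword"):
        argv.append("--allow-users-to-change-password")
    if current.get("MaxPasswordAge"):
        argv += ["--max-password-age", str(current["MaxPasswordAge"])]
    if current.get("PasswordReusePrevention"):
        argv += ["--password-reuse-prevention", str(current["PasswordReusePrevention"])]
    if current.get("HardExpiry"):
        argv.append("--hard-expiry")
    return argv


# Constructed sample policies (not from a real account).
WEAK_POLICY = {
    "MinimumPasswordLength": 6,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": False,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,
}
STRONG_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
}

if __name__ == "__main__":
    for name, pol in [("none", None), ("weak", WEAK_POLICY), ("strong", STRONG_POLICY)]:
        status, reasons = evaluate_password_policy(pol)
        print(f"{name}: {status} {reasons}")
    print(" ".join(remediation_command(WEAK_POLICY)))
```

Two points worth keeping in mind when scripting the fix rather than clicking through the console: an account that has never had a custom policy set is reported as NoSuchEntity rather than as a policy with weak settings, so a scanner must treat that as a failure, and the update call overwrites every setting, so omitting rotation or reuse-prevention parameters discards them.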

Tags